Hostname not verified when decorating Gitlab Merge Requests

  • SonarQube version 8.3.1
  • SonarQube will not decorate Merge Requests due to Gitlab having a self signed SSL certificate.

java.lang.IllegalStateException: Hostname <GitLab Hostname> not verified:

We are unable to give it anything other than a self signed certificate in our environment. Is there a way that we can disable SSL verification for the MR decoration?

SonarQube works fine otherwise.

Hi, no you can’t turn off the SSL verification. What you can do is generate a valid, self-signed SSL certificate that includes the hostname and aliases. More specifically, you need to add the X509v3 Subject Alternative Name extension to your certificate.

Hi Pierre,

I’ve created a SAN certificate and added it to the keystore, however the issue still remains. I’m thinking that Sonar is not reading the new certificate and still giving the same error. Do you have any other suggestions?

Are you actually using that new certificate on GitLab or did you only add it to the SonarQube keystore? The latter won’t do anything.

I added it to GitLab as well.

Hi @claybuxton ,

would you mind taking us on a little debugging tour? :slight_smile:
I think that there is something wrong with the certificate or the keystore, but we need to find out what, so let’s borrow the old SSLPoke from Atlassian and see if this one is able to connect successfully:

javac SSLPoke.java
java SSLPoke server 443

This will basically just try to create a TLS session with the server you provide on the port you provide, and fail if this session cannot be validated. If this is failing, then we know that the error is in the keystore or the certificate for sure.

The next point to look for information is to extract the archive and have a look at the extensions using Java’s keytool:

keytool -list -v -keystore path_to_keystore_file
keytool -export -alias alias_name -keystore path_to_keystore_file -rfc -file path_to_certificate_file

where:

  • alias_name: Specifies the same alias that was used to generate the certificate.
  • path_to_keystore_file: Specifies the same KeyStore path that was used to generate the certificate.
  • path_to_certificate_file: Specifies the exported certificate file, often given an extension of .cert.

You should be able to check the resulting certificate using openssl.

Hope that gives us a little more insight into what’s going on here :slight_smile:
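As an added example (not code from the thread or from SonarQube), the script below generates a self-signed certificate with openssl, once CN-only and once with the X509v3 Subject Alternative Name extension, and checks whether the SAN actually lists the GitLab hostname, which is the openssl check the last reply suggests. The hostname gitlab.example.com, the alias gitlab, the key size and the temp paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: build a self-signed certificate that
# carries the X509v3 Subject Alternative Name extension and check that the SAN
# really lists the GitLab hostname. Hostnames, paths and key size are assumptions.
set -e

# make_cert <out_dir> <common_name> [san_list]
# san_list is an OpenSSL SAN string such as "DNS:gitlab.example.com,DNS:gitlab".
# Leave it empty to reproduce a CN-only certificate: modern HTTP clients match
# the hostname against the SAN only, which is what gives "Hostname ... not verified".
make_cert() {
  out="$1"; cn="$2"; san="${3:-}"
  mkdir -p "$out"
  if [ -n "$san" ]; then
    set -- -addext "subjectAltName=$san"   # -addext needs OpenSSL 1.1.1 or newer
  else
    set --
  fi
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$cn" \
    -keyout "$out/key.pem" -out "$out/cert.pem" "$@" >/dev/null 2>&1
}

# san_dns_names <cert.pem>: print every DNS entry of the SAN, one per line
# (the same information keytool -list -v shows under SubjectAlternativeName)
san_dns_names() {
  openssl x509 -in "$1" -noout -text | awk '
    /Subject Alternative Name/ {
      getline; gsub(/[ \t]/, "")
      n = split($0, a, ",")
      for (i = 1; i <= n; i++) if (a[i] ~ /^DNS:/) print a[i]
    }'
}

# san_has_host <cert.pem> <hostname>: succeed only on an exact DNS SAN match
san_has_host() {
  san_dns_names "$1" | grep -qxF "DNS:$2"
}
# Demo: the same host as a CN-only certificate versus a proper SAN certificate
work=$(mktemp -d)
make_cert "$work/cn-only" gitlab.example.com
make_cert "$work/san" gitlab.example.com "DNS:gitlab.example.com,DNS:gitlab"
for c in cn-only san; do
  if san_has_host "$work/$c/cert.pem" gitlab.example.com; then
    echo "$c: SAN lists gitlab.example.com, hostname verification can pass"
  else
    echo "$c: no matching SAN entry, expect 'Hostname ... not verified'"
  fi
done
```

Run san_dns_names against the file exported with keytool -export -rfc to confirm the keystore holds the SAN certificate and not the old one.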